Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Dr. Guard problems.

Post by matrix1539 » March 6th, 2010, 3:43 pm

uninstall list

Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Compatibility Pack for the 2007 Office system
Connect
Dr. Guard
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 14
Junk Mail filter update
kuler
Label@Once 1.0
LimeWire 5.4.6
LogMeIn
Malwarebytes' Anti-Malware
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSVCRT
MyToshiba
NetZero Launcher
Norton Internet Security
Norton Internet Security
PDF Settings CS4
Photoshop Camera Raw
PlayReady PC Runtime x86
PowerISO
Quickbooks Financial Center
QuickTime
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype Launcher
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
Toshiba Application and Driver Installer
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA eco Utility
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA HDD/SSD Alert
Toshiba Online Backup
TOSHIBA PC Health Monitor
Toshiba Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA Service Station
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977719)
WildTangent Games
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver

Scan list
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:24 PM, on 3/6/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\toswaitsrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Users\As\AppData\Local\Temp\login.exe
C:\Users\As\AppData\Local\Temp\nvsvc32.exe
C:\Users\As\AppData\Local\Temp\winamp.exe
C:\Users\As\AppData\Local\Temp\setup.exe
C:\Users\As\AppData\Local\Temp\cmd.exe
C:\Users\As\AppData\Local\Temp\win16.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: C:\windows\system32\k22hrsjop.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\windows\system32\k22hrsjop.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Users\As\appdata\local\temp\r1s2a4h .exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MyTOSHIBA] "C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\program files\windows live\messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [Dr. Guard] "C:\Users\As\AppData\Roaming\Dr. Guard\drguard.exe" -noscan
O4 - HKCU\..\Run: [asr64_ldm.exe] C:\Users\As\AppData\Local\Temp\asr64_ldm.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\As\AppData\Local\Temp\win16.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 9787 bytes


Last week I tried installing PowerISO through an application in LimeWire. Apparently after I opened the new app, malware was installed on my laptop. The computer had many popups show up for Dr. Guard. I had previously installed Malwarebytes' Anti-Malware on the computer. The program would not open. I tried restarting the computer using F8 and bringing up the boot menu to start Windows in safe mode with networking. Malwarebytes did open this time. I updated Malwarebytes and proceeded to have it scan the entire computer. It found roughly 30-odd malicious objects. I deleted these objects and it said I needed to restart my computer to finish with the delete. I restarted my computer and it still had problems (i.e. random sound commercials playing in the background and popups). I tried starting again in safe mode with networking and running Malwarebytes because it would still not open while the computer was running in normal mode. Malwarebytes found more problems. I deleted the new objects and restarted in normal mode again. My computer is still making random noise commercials in the background. I still can't open Malwarebytes. I thought about restoring the computer to before I installed the program, but for some reason there are no restore points even though I've looked. I have Windows 7 and I read through different forums and fixes on how to manually delete anything left on my computer. Thank you.
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm
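The helpers on this forum triage a HijackThis log by eye; as an added illustration (not code from this forum, from the poster or from HijackThis), here is a Python script that flags the patterns visible in the log above: processes and Run entries launched from the Temp folder, Run values with random-looking names, a BHO whose display name is only its own DLL path, DisableRegedit=1 and a populated AppInit_DLLs, and then pivots on every file name it has already flagged. The heuristics are this example's own assumptions, and the excerpt it runs on is constructed from a few lines of the log above.

```python
import re
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Line shapes the heuristics look at (HijackThis O2 and O4 entries).
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Last path component ending in .exe/.dll (HijackThis sometimes renders "name .exe").
FILE_REF = re.compile(r'\\([^\\"\[\],]+?\.(?:exe|dll))\b', re.IGNORECASE)
RANDOM_NAME = re.compile(r"[a-z0-9]{20,}")

R_TEMP_PROC = "process running from a Temp folder"
R_BHO_SELF = "BHO whose display name is its own DLL path"
R_TEMP_RUN = "autorun value launching from a Temp folder"
R_RANDOM = "autorun value with a random-looking name"
R_REGEDIT = "registry editor disabled by policy (O7)"
R_APPINIT = "AppInit_DLLs populated (O20)"
R_PIVOT = "references a file flagged elsewhere"

# Constructed excerpt: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\windows\system32\taskhost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Users\As\AppData\Local\Temp\login.exe
C:\Users\As\AppData\Local\Temp\win16.exe

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: C:\windows\system32\k22hrsjop.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\windows\system32\k22hrsjop.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Users\As\appdata\local\temp\r1s2a4h .exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\As\AppData\Local\Temp\win16.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def file_refs(text: str) -> Set[str]:
    """Lower-cased .exe/.dll file names mentioned in a log line."""
    return {name.lower() for name in FILE_REF.findall(text)}


def looks_random(name: str) -> bool:
    """Long lowercase alphanumeric value names with digits mixed in (assumed heuristic)."""
    return bool(RANDOM_NAME.fullmatch(name)) and any(c.isdigit() for c in name)


def triage(log: str) -> List[Finding]:
    """Return (reason, line) pairs for the lines the heuristics consider suspicious."""
    findings: List[Finding] = []
    flagged: Set[str] = set()   # lines already reported
    suspect: Set[str] = set()   # file names worth pivoting on in the second pass
    lines = [raw.strip() for raw in log.splitlines()]

    def report(reason: str, line: str, pivot_text: str = "") -> None:
        findings.append((reason, line))
        flagged.add(line)
        suspect.update(file_refs(pivot_text or line))

    in_processes = False
    for line in lines:
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process block
        elif in_processes:
            if TEMP_DIR.search(line):
                report(R_TEMP_PROC, line)
        elif (m := O2_BHO.match(line)):
            # Legitimate BHOs carry a product name; here the "name" is the DLL path itself.
            if m["name"].strip().lower() == m["path"].strip().lower():
                report(R_BHO_SELF, line)
        elif (m := O4_RUN.match(line)):
            if TEMP_DIR.search(m["cmd"]):
                report(R_TEMP_RUN, line, m["cmd"])
            if looks_random(m["name"]):
                findings.append((R_RANDOM, line))
                flagged.add(line)
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            report(R_REGEDIT, line)
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            report(R_APPINIT, line)

    # Second pass: pivot on file names already flagged, so a Run entry that merely
    # loads the suspicious BHO DLL through rundll32 is caught even though its own
    # value name and path look unremarkable.
    for line in lines:
        if line not in flagged and file_refs(line) & suspect:
            report(R_PIVOT, line)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```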

Re: Dr. Guard problems.

Post by Wingman » March 11th, 2010, 6:32 pm

Hello... Welcome to the forum.
My name is Wingman, and I'll be helping you with any malware problems.
The logs I request can take a while to research, so please be patient.

Before we begin...please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  4. Only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  6. Only- reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean"

I am currently reviewing your log and will return, as soon as possible, with additional instructions. In the meantime...
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>>, do not proceed; post back with the question or problem.

Vista - Windows 7 Users - Please Note:
The programs I ask you to run need to be installed and run in Administrator Mode by... Right clicking the installation file and the executable program file & selecting: Run as Administrator. Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program. When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator


Step 1.
P2P Advisory!
IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
Connect
LimeWire 5.4.6


As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assistance.
If you choose NOT to remove the program(s)...indicate that in your next reply and this topic will be closed.
Otherwise, please perform the following steps:
Remove P2P Program(s)
  1. Click on Start > Control Panel and double click on Programs and Features.
  2. Locate the following program:
    Connect
    Dr. Guard
    LimeWire 5.4.6
  3. Click on the Change/Remove button to uninstall it.
    Carefully read any prompts...
    Some uninstallers prompt in a way to trick you into keeping the program, sometimes, preventing them from being uninstalled again!
    Repeat steps 2 and 3 for each program listed.
  4. When the program(s) have been uninstalled... Close Control Panel.
By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program
itself, may be safe but the files may not... use P2P at your own risk! Keep in mind that this practice may be the source of your current malware infestation.
References... citing risk factors, using P2P programs: Malware: Help prevent the Infection and How to Prevent the Online Invasion of Spyware and Adware

Step 2.
ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup-exe to run the install process. Install ERUNT by following the prompts.
    VISTA/W7 users: right-click erunt-setup-exe, select "Run As Administrator" to run the install process. Install by following prompts.
  3. Use the default install settings...
  4. Make sure the first two check boxes -> (Create ERUNT and NTREGOPT desktop icons) are checked.
    Say "NO" if prompted or asked if you want to add ERUNT to the Start-Up folder. You can enable this later.
  5. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
    VISTA/W7 users: right-click the desktop icon, select "Run As Administrator" or start it at the end of the setup process.
  6. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is fine.
  7. Click on OK ... then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
    Vista/W7 users: right-click on ERUNT in the menu, then select "Run As Administrator". If UAC prompts, please allow it.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 3.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files will be produced.
    The first one, "log.txt", will be maximized... the second one, "info.txt", will be minimized.
    These log files can be found in the C:\RSIT folder.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. RSIT log.txt and info.txt file contents.
  3. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Dr. Guard problems.

Post by matrix1539 » March 13th, 2010, 2:02 pm

I won't be able to get to my computer until possibly Monday. I will try to get to it on Sunday, the 14th, but I am currently out of town. Thanks.
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm

Re: Dr. Guard problems.

Post by Wingman » March 13th, 2010, 4:10 pm

OK... just keep me posted about any other delays. :)
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Dr. Guard problems.

Post by matrix1539 » March 14th, 2010, 5:50 pm

I ran RSIT and it wouldn't finish. I received this error message while it said "Listing services and drivers".
AutoIt Error
Line -1:
Error: Variable used without being declared


I ran ERUNT and backed up my registry. I deleted Dr. Guard and LimeWire, but I could not find Connect in my program list. I found it still in the log through HijackThis though.
I still have pop-ups randomly coming up and I can't start Malwarebytes' Anti-Malware.



This is the current HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:03 PM, on 3/14/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\toswaitsrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Users\As\AppData\Local\Temp\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\As\AppData\Local\Temp\win.exe
C:\Users\As\AppData\Local\Temp\login.exe
C:\Users\As\AppData\Local\Temp\install.exe
C:\program files\logmein\x86\LMIGuardian.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Users\As\AppData\Local\Temp\user.exe
C:\Users\As\AppData\Local\Temp\avp.exe
C:\Users\As\AppData\Local\Temp\msinits.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: C:\windows\system32\k22hrsjop.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\windows\system32\k22hrsjop.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Users\As\appdata\local\temp\r1s2a4h .exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MyTOSHIBA] "C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\program files\windows live\messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [Dr. Guard] "C:\Users\As\AppData\Roaming\Dr. Guard\drguard.exe" -noscan
O4 - HKCU\..\Run: [asr64_ldm.exe] C:\Users\As\AppData\Local\Temp\asr64_ldm.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\As\AppData\Local\Temp\mdm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 10042 bytes
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm

Re: Dr. Gaurd problems.

Post by Wingman » March 16th, 2010, 7:58 am

Hello matrix1539,

Please read all instructions carefully before executing, and perform the steps in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Vista - Windows 7 Users - Please Note:
The programs I ask you to run need to be installed and run in Administrator Mode by... Right clicking the installation file and the executable program file & selecting: Run as Administrator. Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program. When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator


Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Fix HijackThis entries
Important!
Please temporarily disable any anti-spyware programs you are using, listed Here
...so they will not interfere with the entries we will be fixing in HijackThis.
  1. Run HijackThis
    Vista - W7 users: Right click (hijackthis.exe) and choose "Run As Administrator".
    • If you are on the Main Menu page... Click "Do a system scan only"
    • If you are on the "scan & fix stuff" page... Press the Scan...button.
  2. When the scan finishes...Place a check mark next to the following entries (if they are still present):
      *Only check those items listed below*
      O2 - BHO: C:\windows\system32\k22hrsjop.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\windows\system32\k22hrsjop.dll
      O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc
      O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Users\As\appdata\local\temp\r1s2a4h .exe
      O4 - HKCU\..\Run: [Dr. Guard] "C:\Users\As\AppData\Roaming\Dr. Guard\drguard.exe" -noscan
      O4 - HKCU\..\Run: [asr64_ldm.exe] C:\Users\As\AppData\Local\Temp\asr64_ldm.exe
      O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\As\AppData\Local\Temp\mdm.exe
      O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc (User 'Default user')
      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
      O20 - AppInit_DLLs: app_dll.dll

      You can OPTIONALLY check these program entries. They automatically run at startup more for convenience than necessity and are available elsewhere, i.e. Start -> Programs. If you "fix" with HJT, you'll save resources, possibly improve performance. Your choice.
      O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask .exe" -atboottime
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
  3. After checking these items... CLOSE ALL open windows except HijackThis
  4. Click the Fix Checked...button. Choose YES...when prompted to fix the selected items.
  5. Once it has fixed them, close HijackThis and reboot your computer normally.

Step 3.
OTM
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Right click on OTM.exe and select Run As Administrator to run it. If Windows UAC prompts, please allow it.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Please refer to the OTM screen image below, for reference.
    Warning: Do not type it out... errors could damage your machine.
    Code:
    :Processes
    :Files
    C:\Users\As\AppData\Local\Temp\mdm.exe
    C:\Users\As\AppData\Local\Temp\win.exe
    C:\Users\As\AppData\Local\Temp\login.exe
    C:\Users\As\AppData\Local\Temp\install.exe
    C:\Users\As\AppData\Local\Temp\user.exe
    C:\Users\As\AppData\Local\Temp\avp.exe
    C:\Users\As\AppData\Local\Temp\msinits.exe
    C:\windows\system32\k22hrsjop.dll 
    C:\Users\As\appdata\local\temp\r1s2a4h .exe
    C:\Users\As\AppData\Roaming\Dr. Guard
    C:\Users\As\AppData\Local\Temp\asr64_ldm.exe
    :Commands
    [EmptyTemp]
    [Start Explorer]
    [Reboot]


    [OTM screen image: numbered controls (1) paste box, (2) MoveIt!, (3) Exit]
  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!
Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.

Step 4.
Command Line Search
I need you to perform a file search on your computer... please follow these steps:
  1. Press the Start button ...then press Run.
      If you do not have the RUN command on your Start Menu:
    • Click the Start Search box on the Start Menu.
  2. Copy/paste the following command into the text entry box.
    cmd /c dir C:\*.* /L /A /B /S|Find "app_dll.dll" >> "C:\fileloc.txt"
  3. Press the "OK"...button
    A file called "fileloc.txt" will be created on your C:\ drive C:\fileloc.txt. The command window will eventually close.
  4. Double click on this file... Notepad or Wordpad should open.
Please copy/paste the contents of the fileloc.txt file...in your next reply.

Step 5.
Post a New HJT Log
If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
  1. Run HijackThis
    • If you are on the "scan & fix stuff" page... Press the Main Menu...button.
  2. On the Main Menu...click on the "Do a system scan and save a Log file"...button.
  3. When the scan is finished... Notepad will open with a saved log file called "hijackthis.log"
  4. Paste the contents of hijackthis.log file in your next reply.

Step 6.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. OTM scan results.
  3. C:\fileloc.txt contents.
  4. New HJT log.
  5. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Dr. Gaurd problems.

Post by matrix1539 » March 16th, 2010, 10:16 pm

The random audio advertising still exists and so do pop-ups on my computer.


OTM results
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Users\As\AppData\Local\Temp\mdm.exe moved successfully.
C:\Users\As\AppData\Local\Temp\win.exe moved successfully.
C:\Users\As\AppData\Local\Temp\login.exe moved successfully.
C:\Users\As\AppData\Local\Temp\install.exe moved successfully.
C:\Users\As\AppData\Local\Temp\user.exe moved successfully.
C:\Users\As\AppData\Local\Temp\avp.exe moved successfully.
C:\Users\As\AppData\Local\Temp\msinits.exe moved successfully.
C:\windows\system32\k22hrsjop.dll moved successfully.
C:\Users\As\appdata\local\temp\r1s2a4h .exe moved successfully.
File/Folder C:\Users\As\AppData\Roaming\Dr. Guard not found.
C:\Users\As\AppData\Local\Temp\asr64_ldm.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: As
->Temp folder emptied: 180779883 bytes
->Temporary Internet Files folder emptied: 161488306 bytes
->Java cache emptied: 25085 bytes
->Flash cache emptied: 47132 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8380700 bytes
RecycleBin emptied: 3003103003 bytes

Total Files Cleaned = 3,198.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03162010_202216

Files moved on Reboot...
File C:\Users\As\AppData\Local\Temp\fla1D7B.tmp not found!
File C:\Users\As\AppData\Local\Temp\flaA5D0.tmp not found!
C:\Users\As\AppData\Local\Temp\r1s2a4h .exe moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\1x1[1].gif moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\788602521[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\ads[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\ads[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\ads[9].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\blank[2].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\blogad[5].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\celebgossipnet_com[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\gaw[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\iframe3CA0BLTON.htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\iframe3CA2WVGFJ.htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\so-you-think-you-can-dance-home2[2].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\stCA22S5TV moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\stCA5MA4KZ moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\stCARNIYTY moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\stCASF72VW moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\track_click[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\twilight-home2[2].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68L1KZDR\v=5;m=3;l=7060;c=61156;b=349746;ts=20100316211632;p=ui=_AQhWPSyS_WWMA;tr=oGxG-uWUVqH;tm=0-0[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\ads[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\ads[4].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\compban[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\GAM-Deluxe-728x90_Top[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\img[1].htm moved successfully.
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\leaderboard[1].htm not found!
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\login_status[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\login_status[5].htm moved successfully.
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\medium_rectangle2[1].htm not found!
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\sponsor_link1[1].htm not found!
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\survey[1].htm not found!
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41ZWLJDQ\v=5;m=2;l=7060;c=61156;b=349746;p=ui=_AQhWPSyS_WWMA;tr=oGxG-uWUVqH;tm=0-0;ts=20100316211633;dct=;ord=20100316211633[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\adlink_5132_906580_0_170_AdId=708559;BnId=1;itime=788601141;link=;ord=788601141[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\ads[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\blogad[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\Drive-160x600-Double[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\GAM-Deluxe-160x600[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\GAM-Deluxe-728x90_Bottom[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\GAM-Toolbar-300x250-All[1].htm moved successfully.
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\get-smart-movie-trailer-50005[1].htm not found!
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\iframe3CAYGM294.htm not found!
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\illumistream[1].htm moved successfully.
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\41GQG0JW\medium_rectangle1[1].htm not found!
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\ads[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\ads[2].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\ads[8].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\ADTECH;adid=704417;bnid=-1;target=_blank;sub1=704463;misc=788601323[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\ADTECH;adid=708559;bnid=-1;target=_blank;sub1=708774;misc=788600454[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\dot0[1].jpg moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\Drive-160x600-Double[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\fluid[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\GAM-Deluxe-160x600[3].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\GAM-Deluxe-728x90_Bottom[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\GAM-Deluxe-728x90_Top[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\GAM-Toolbar-300x250-All[2].htm moved successfully.
File C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\login_status[11].htm not found!
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\mfnpreroll2[5].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\mfnpreroll2[6].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QPTGXVM\proxy[1].htm moved successfully.
C:\Users\As\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...


FILEOT results
c:\windows\system32\app_dll.dll
c:\windows\system32\app_dll.dll.138918.old
c:\windows\system32\app_dll.dll.140369.old
c:\windows\system32\app_dll.dll.145704.old
c:\windows\system32\app_dll.dll.148949.old
c:\windows\system32\app_dll.dll.150681.old
c:\windows\system32\app_dll.dll.170119.old
c:\windows\system32\app_dll.dll.179167.old
c:\windows\system32\app_dll.dll.184907.old
c:\windows\system32\app_dll.dll.190804.old
c:\windows\system32\app_dll.dll.19498767.old
c:\windows\system32\app_dll.dll.195094.old
c:\windows\system32\app_dll.dll.200586.old
c:\windows\system32\app_dll.dll.201007.old
c:\windows\system32\app_dll.dll.217418.old
c:\windows\system32\app_dll.dll.219493.old
c:\windows\system32\app_dll.dll.221521.old
c:\windows\system32\app_dll.dll.251536.old
c:\windows\system32\app_dll.dll.38848523.old
c:\windows\system32\app_dll.dll.52877677.old
c:\windows\system32\app_dll.dll.5592620.old
c:\windows\system32\app_dll.dll.6484493.old
c:\windows\system32\app_dll.dll
c:\windows\system32\app_dll.dll.138918.old
c:\windows\system32\app_dll.dll.140369.old
c:\windows\system32\app_dll.dll.145704.old
c:\windows\system32\app_dll.dll.148949.old
c:\windows\system32\app_dll.dll.150681.old
c:\windows\system32\app_dll.dll.170119.old
c:\windows\system32\app_dll.dll.179167.old
c:\windows\system32\app_dll.dll.184907.old
c:\windows\system32\app_dll.dll.190804.old
c:\windows\system32\app_dll.dll.19498767.old
c:\windows\system32\app_dll.dll.195094.old
c:\windows\system32\app_dll.dll.200586.old
c:\windows\system32\app_dll.dll.201007.old
c:\windows\system32\app_dll.dll.217418.old
c:\windows\system32\app_dll.dll.219493.old
c:\windows\system32\app_dll.dll.221521.old
c:\windows\system32\app_dll.dll.251536.old
c:\windows\system32\app_dll.dll.38848523.old
c:\windows\system32\app_dll.dll.52877677.old
c:\windows\system32\app_dll.dll.5592620.old
c:\windows\system32\app_dll.dll.6484493.old
c:\windows\system32\app_dll.dll
c:\windows\system32\app_dll.dll.138918.old
c:\windows\system32\app_dll.dll.140369.old
c:\windows\system32\app_dll.dll.145704.old
c:\windows\system32\app_dll.dll.148949.old
c:\windows\system32\app_dll.dll.150681.old
c:\windows\system32\app_dll.dll.170119.old
c:\windows\system32\app_dll.dll.179167.old
c:\windows\system32\app_dll.dll.184907.old
c:\windows\system32\app_dll.dll.190804.old
c:\windows\system32\app_dll.dll.19498767.old
c:\windows\system32\app_dll.dll.195094.old
c:\windows\system32\app_dll.dll.200586.old
c:\windows\system32\app_dll.dll.201007.old
c:\windows\system32\app_dll.dll.217418.old
c:\windows\system32\app_dll.dll.219493.old
c:\windows\system32\app_dll.dll.221521.old
c:\windows\system32\app_dll.dll.251536.old
c:\windows\system32\app_dll.dll.38848523.old
c:\windows\system32\app_dll.dll.52877677.old
c:\windows\system32\app_dll.dll.5592620.old
c:\windows\system32\app_dll.dll.6484493.old



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:40 PM, on 3/16/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal


Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Users\As\AppData\Local\Temp\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\As\AppData\Local\Temp\msinits.exe
C:\program files\logmein\x86\LMIGuardian.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: C:\windows\system32\k22hrsjop.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\windows\system32\k22hrsjop.dll (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [MyTOSHIBA] "C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\program files\windows live\messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Users\As\appdata\local\temp\r1s2a4h .exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\As\AppData\Local\Temp\cmd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\windows\TEMP\cmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\windows\TEMP\cmd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 9258 bytes
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm

Re: Dr. Gaurd problems.

Unread postby Wingman » March 18th, 2010, 10:15 am

Hello matrix1539,
Thanks for getting those logs posted. Sorry for the delay getting back to you.

Please read all instructions carefully before executing and perform the steps in the order given. If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Vista - Windows 7 Users - Please Note:
The programs I ask you to run need to be installed and run in Administrator Mode by... Right clicking the installation file and the executable program file & selecting: Run as Administrator. Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program. When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator


Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
CKScanner
Please download CKScanner ... Save it to your desktop.
Make sure that CKScanner.exe is on your desktop before running the application!
  1. Double-click on the CKScanner.exe icon... then click the Search For Files button.
    Vista-W7 users: right click the (CKScanner.exe) icon and choose "Run As Administrator", then click the "Search For Files" button.
  2. When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  3. Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  4. Please copy/paste the contents of ckfiles.txt in your next reply.

Step 3.
Defogger
CD Emulator Software (Daemon Tools, Alcohol, etc) use drivers that can interfere with rootkit scans, so we'll temporarily disable them.
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
  1. Double click DeFogger.exe to run the tool. The application window will appear.
    Vista - W7 users: Right-click on Defogger.exe and choose "Run As Administrator". If UAC prompted, allow it.
  2. Click the Disable button to disable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK.
  4. Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Step 4.
ComboFix
Please download ComboFix.exe... © Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
Alternate download sites: Mirror #2 or Mirror #3

If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  2. Right click the ComboFix.exe icon on your desktop, select "Run As Administrator" to begin execution. If UAC prompts, allow it.
  3. Press Yes to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
  4. If not already installed... Press Yes to the "Install Recovery Console" prompt.
  5. Press Yes at the Recovery Console installation results prompt... Even if unsuccessful, have ComboFix continue the scan.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings... this is normal, so don't worry. They will be restored when finished. The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
    ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  6. Please copy/paste the contents of log.txt... in your next reply.
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ckfiles.txt file contents.
  3. ComboFix log.txt file contents.
  4. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Dr. Gaurd problems.

Unread postby matrix1539 » March 18th, 2010, 10:08 pm

CKfiles was unreachable through your link so I was unable to download. Also, Combofix would ask to run, but when I hit run it would do nothing even if I left the computer alone. It still has the pop ups and annoying audio from time to time.
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm

Re: Dr. Gaurd problems.

Unread postby Wingman » March 19th, 2010, 8:04 am

Hello matrix1539,
Sorry you had problems with the CKScanner link. I'm looking into it.

Step 1.
ESET NOD32 Online Scan
Vista - W7 users: You will need to right-click on the IE or FF icons on the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then double click on it to install.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ESET scan results
  3. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
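The ESET Online Scanner log.txt this step asks for is plain text: '# key=value' header lines, then one detection per line (path, detection name, hash column, flag). The Python below is an added triage helper, not ESET's code or the forum's; it parses that layout, checks the number of parsed lines against the '# found=' header, counts detections per family and per top-level folder, and flags file names with a space before the extension (such as 'qttask .exe' sitting beside the genuine qttask.exe), a pattern that recurs in the scan result posted later in this thread, from which the embedded sample lines are copied.

```python
"""Triage helper for an ESET Online Scanner log.txt (added example; not ESET's
code and not the forum's).  The layout is the one posted in this thread:
'# key=value' header lines, then one detection per line:
    <path> <detection name> <32-hex hash> <flag>"""
import re
from collections import Counter
from dataclasses import dataclass

# The path may contain spaces (here even a space right before the extension),
# so anchor on the fixed trailing fields and on ESET's name vocabulary.
# Only the type words seen in this thread's log ('trojan', 'application') are
# listed; extend the alternation if your log shows others.
_DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably )?(?:a variant of )?\S+\s+(?:trojan|application))\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)
_HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z_]+)=(?P<value>.*)$")
# Extension preceded by whitespace ('qttask .exe'): a look-alike planted
# beside the legitimate qttask.exe, which the posted log shows repeatedly.
_SPACED_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")

# Constructed sample: a few lines copied from the scan result posted later in
# this thread, with '# found=' set to the number of detection lines kept here.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# scanned=123537
# found=6
# cleaned=0
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\FastUv32.dll Win32/Agent.QTG trojan 00000000000000000000000000000000 I
C:\Users\As\Desktop\AutoPlay\Docs\Symantec Norton Ghost 10\patch\Patch.exe probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7QY4S292\tatra9[1].htm JS/Exploit.Agent.NBA trojan 00000000000000000000000000000000 I
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str      # full text, e.g. 'a variant of Win32/Kryptik.CNF trojan'
    digest: str
    flag: str

    @property
    def family(self) -> str:
        """Drop ESET's confidence prefixes and the type suffix: 'Win32/Kryptik.CNF'."""
        return self.name.replace("probably ", "").replace("a variant of ", "").split()[0]

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def top_dir(self) -> str:
        return "\\".join(self.path.split("\\")[:2])  # e.g. 'C:\Windows'

    @property
    def spaced_extension(self) -> bool:
        return _SPACED_EXT_RE.search(self.basename) is not None


def parse_eset_log(text: str):
    """Return (header, detections).  Header values are lists because some
    keys (compatibility_mode) repeat; installer banner lines are skipped."""
    header, detections = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = _HEADER_RE.match(line)
        if m:
            header.setdefault(m["key"], []).append(m["value"])
            continue
        m = _DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["name"], m["hash"], m["flag"]))
    return header, detections


def summarise(header, detections):
    """What a helper reads off first: totals vs. the header, families,
    where the files sit, and look-alike names shadowing real executables."""
    found = int(header.get("found", ["0"])[0])
    return {
        "header_found": found,
        "parsed": len(detections),
        "count_matches_header": found == len(detections),
        "cleaned": header.get("cleaned", ["?"])[0],
        "by_family": Counter(d.family for d in detections),
        "by_top_dir": Counter(d.top_dir for d in detections),
        "spaced_names": [d.path for d in detections if d.spaced_extension],
    }
```

Run `summarise(*parse_eset_log(open(path).read()))` on a real log.txt; a mismatch between `parsed` and `header_found` means a line the regex did not recognise and is worth reading by hand.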

Re: Dr. Gaurd problems.

Unread postby matrix1539 » March 21st, 2010, 10:22 pm

The computer is still popping up random pages and has random audio. This is the result from the scan.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c28a9010bd5ece45ac7da1dd2c4f53e1
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-21 07:31:54
# local_time=2010-03-21 02:31:54 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 1208714 1208714 0 0
# compatibility_mode=3588 16777214 100 96 1692893 17347582 0 0
# compatibility_mode=5893 16776573 100 94 0 20739880 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=123537
# found=196
# cleaned=0
# scan_time=4825
C:\Program Files\Adobe\1129884.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\140088.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\141492.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\143193.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\143286.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\143754.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\147732.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\150119.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\151788.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\155751.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\171226.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\180352.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\186062.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\191959.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\19499968.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\1952851.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\196233.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\201709.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\202302.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\218541.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\220632.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\222738.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\252659.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\258774.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\38849584.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\52878832.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\5593774.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\6493884.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\acrotray .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Internet Explorer\js.mui a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Internet Explorer\wmpscfgs .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Internet Explorer\wmpscfgs.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.delme173 a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\QuickTime\qttask.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\TOSHIBA\My Toshiba\mytoshiba.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\TOSHIBA\TOSHIBA Service Station\toshibaservicestation.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20100316-193057-834.dll a variant of Win32/Kryptik.CNY trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msnmsgr.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Wplblz32.dll a variant of Win32/Kryptik.CWI trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\3067894232.exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\4204957294.exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\avp.exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\cmd.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f142662 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f142803 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f143286 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f155298 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f1952368 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\f258244 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\mdm.exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\msinits.exe a variant of Win32/TrojanDownloader.Small.OVD trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\r1s2a4h .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\vwwixjz.exe a variant of Win32/TrojanDownloader.Small.OVD trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\win16.exe a variant of Win32/Kryptik.DBC trojan 00000000000000000000000000000000 I
C:\Users\As\AppData\Local\Temp\wmpscfgs.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\Desktop\rundll32 .exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\Desktop\rundll32.exe a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Users\As\Desktop\AutoPlay\Docs\Symantec Norton Ghost 10\patch\Patch.exe probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
C:\Users\As\Desktop\AutoPlay\Docs\Symantec Norton PartitionMagic 8.05.1371\SymantecNortonPartitionMagic8.05.1371EN.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Windows\sssuh5133.exe a variant of Win32/Kryptik.CWI trojan 00000000000000000000000000000000 I
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE a variant of Win32/Kryptik.CNF trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.138918.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.140369.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.141976.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.142132.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.142616.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.145704.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.148949.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.150681.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.154565.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.170119.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.179167.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
C:\Windows\System32\app_dll.dll.184907.old a variant of Win32/Kryptik.CZR trojan 00000000000000000000000000000000 I
matrix1539
Active Member
 
Posts: 7
Joined: March 6th, 2010, 3:33 pm

Re: Dr. Gaurd problems.

Unread postby Wingman » March 22nd, 2010, 9:28 am

Hello matrix1539,

I'm very sorry but I have to give you some bad news. :(

You have a "file infector" infection!
The last scan confirmed the depth of the infection. This kind of infection changes file contents, creates new versions of files and spreads itself internally throughout your system. Unfortunately, the scans available could possibly delete files that are needed by the system and cause more harm than good. The safest way to remove the infection you have is to reformat your hard drive and reinstall your operating system.
I cannot, in good conscience, recommend any other approach, as these types of infections spread exponentially and the machine could be so infected that it could not be trusted again.

As this forum is set up for malware removal only, I can provide some links to other forums where you can ask and obtain answers to reformatting and reinstallation questions you may have.

Here are just a few PC forums that can assist with reformatting and reinstall questions.
These sites have a variety of experts that are better equipped to investigate and resolve these kinds of issues.
Registration is free, it only takes a few minutes. :)
BleepingComputer.com
The Elder Geek on Windows
WhattheTech...formerly TomCoyote

I'm sorry that I cannot offer you more assistance. Please let me know that you have seen this post, at which time I will ask for it to be closed.

Thanks and good luck,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Dr. Gaurd problems.

Unread postby Dakeyras » March 25th, 2010, 9:38 am

Since we have done all we can, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra